Test subject – Oxar, a HiddenTear variant

Oxar is a HiddenTear variant with a highly destructive potential. It features anti-debugging characteristics like protected memory zones, as well as environmental awareness to identify Sandobx environments. The ransomware encrypts user data into new files with the “.OXR” extension, and then removes the original. It demands a Bitcoin payment (amounting $100) in exchange for the decryption key.

Oxar ransomware test facts

The behavior of this sample varies in terms of how fast it attacks the files. In this case, the encryption process starts immediately, but there are cases where the encryption process is delayed and the payload is idle for several tens of seconds. TEMASOFT Ranstop detects the ransomware activity immediately after the encryption process started. It stops and quarantines the malicious process while firing an alert. Soon after, the automatic recovery process restores the damaged files and performs a cleanup of the encrypted content.

Oxar ransomware test results

TEMASOFT Ranstop successfully stopped Oxar and recovered the damaged files. The test resulted in zero file loss and no downtime.

TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.

For more information, follow us on social media and subscribe to our newsletter.